Candidate: CVE-2019-7619
PublicDate: 2019-10-30 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7619
 https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
Description:
 Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username
 disclosure flaw in the API Key service. An unauthenticated attacker could
 send a specially crafted request and determine if a username exists in the
 Elasticsearch native realm.
Ubuntu-Description:
Notes:
 seth-arnold> I believe our packages don't have the affected code
Mitigation:
 The API key service can be disabled by setting
 ‘xpack.security.authc.api_key.enabled’ to false in the Elasticsearch
 configuration file.
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_elasticsearch:
upstream_elasticsearch: released (6.8.4, 7.4.0)
precise/esm_elasticsearch: DNE
trusty_elasticsearch: ignored (out of standard support)
trusty/esm_elasticsearch: DNE
xenial_elasticsearch: not-affected
bionic_elasticsearch: DNE
disco_elasticsearch: DNE
eoan_elasticsearch: DNE
devel_elasticsearch: DNE